Openclaw Backup Optimized
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-backup-optimized Version: 1.0.1 The skill is designed to back up the entire OpenClaw home directory (`~/.openclaw`) and push it to a user-configured Git repository (`BACKUP_REPO_URL`) using `git push --force`. While this aligns with the stated purpose of a backup skill, it involves handling highly sensitive data and exfiltrating it to an external endpoint, which, if misconfigured or pointed to a malicious repository, could lead to data theft or loss. The use of `git push --force` is a powerful and potentially destructive operation. These capabilities, though plausibly needed for a backup, are high-risk and warrant a 'suspicious' classification due to the potential for misuse or unintended consequences, as seen in `scripts/backup.js` and `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A backup may include sensitive agent state and private workspace data, and that state may later be restored or reused.
The script explicitly treats OpenClaw config, memory, and workspace as backup content, excluding only a few noisy session files. Those areas can contain private prompts, agent memory, account configuration, or project data.
const comment = 'Backup OK. Full snapshot (config + memory + workspace) to minimize recovery time. Excluded .jsonl.lock and .jsonl.deleted.* session files to reduce noise.';
Review the backup contents before enabling automation, add exclusions for secrets/sessions/tokens, and use encryption or a private dedicated repository for any remote backup.
A misconfigured backup directory could delete local data, and a configured remote could have its main branch overwritten by the backup job.
The workflow recursively removes the configured backup directory during sync and force-pushes the configured Git remote. These are high-impact operations without visible path-safety checks or overwrite warnings.
await fsp.rm(dest, { recursive: true, force: true }); ... git(['push', '-u', 'origin', 'main', '--force'], OPENCLAW_BACKUP_DIR);Add safeguards that refuse unsafe paths, avoid `--force` by default, use a dedicated private backup repo/branch, and require explicit confirmation before first remote push.
Backups and remote pushes can continue automatically after setup, including after configuration mistakes.
The skill documents creating a persistent scheduled job. This is expected for automated backups, but it means the script will keep running in the gateway environment until disabled.
--cron "0 5,10,15,20 * * *" --exec "node ~/.openclaw/workspace/tools/openclaw-backup.js"
Enable cron only after testing manually, document how to remove the cron job, and monitor backup logs/notifications.
The job can post backup notifications to the configured Discord channel using whatever local OpenClaw permissions are available.
The script uses the local OpenClaw account's Discord messaging authority for notifications. This is disclosed and purpose-aligned, but registry metadata declares no credentials or env vars.
spawnSync('openclaw', ['message', 'send', '--channel', 'discord', '--target', BACKUP_CHANNEL_ID, '--message', payload]Use least-privilege OpenClaw/Discord access and declare the required env vars and account authorities in metadata.
A future install could resolve newer dependency versions than the author tested.
The script depends on external packages using semver ranges, and no lockfile or install spec is provided in the artifacts.
"dependencies": { "minimatch": "^9.0.5", "tar": "^6.2.1" }Pin dependencies with a lockfile and provide an explicit install specification for Node, git, and npm package setup.